Intro

2. AWS Cloud Security
▪ Cloud security at AWS is the highest priority. As an AWS customer, you will benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations.
▪ An advantage of the AWS cloud is that it allows customers to scale and innovate while maintaining a secure environment. Customers pay only for the services they use, meaning that you can have the security you need without the upfront expenses, and at a lower cost than in an on-premises environment.
3. AWS Compliance & Security
▪ Security and compliance is a shared responsibility between AWS and the customer.
▪ This shared model can help relieve the customer's operational burden, as AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.
▪ The customer assumes responsibility for and management of the guest operating system (including updates and security patches), other associated application software, and the configuration of the AWS-provided security group firewall.
▪ Customers should carefully consider the services they choose, as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable laws and regulations.
▪ The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown in the chart below, this differentiation of responsibility is commonly referred to as Security "of" the Cloud versus Security "in" the Cloud.
4. AWS Compliance & Security
▪ AWS responsibility, "Security of the Cloud": AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
▪ Customer responsibility, "Security in the Cloud": customer responsibility is determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Amazon Elastic Compute Cloud (Amazon EC2), Amazon Virtual Private Cloud (Amazon VPC), and Amazon S3 are categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks.
6. AWS Compliance & Security
Shared Responsibility Model
7. AWS Compliance & Security
▪ Inherited Controls – controls which a customer fully inherits from AWS.
– Physical and environmental controls
▪ Shared Controls – controls which apply to both the infrastructure layer and the customer layers, but in completely separate contexts or perspectives. In a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services. Examples include:
– Patch Management – AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
– Configuration Management – AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
– Awareness & Training – AWS trains AWS employees, but a customer must train their own employees.
▪ Customer Specific – controls which are solely the responsibility of the customer, based on the application they are deploying within AWS services. Examples include:
– Service and Communications Protection or Zone Security, which may require a customer to route or zone data within specific security environments.
8. AWS WAF
▪ AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to Amazon CloudFront or an Application Load Balancer.
▪ AWS WAF also lets you control access to your content.
▪ Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, CloudFront or an Application Load Balancer responds to requests either with the requested content or with an HTTP 403 status code (Forbidden).
▪ You can also configure CloudFront to return a custom error page when a request is blocked.
9. AWS WAF Working
▪ You use AWS WAF to control how Amazon CloudFront or an Application Load Balancer responds to web requests. You start by creating conditions, rules, and web access control lists (web ACLs). You define your conditions, combine your conditions into rules, and combine the rules into a web ACL.
– Conditions
▪ Conditions define the basic characteristics that you want AWS WAF to watch for in web requests.
– Rules
▪ You combine conditions into rules to precisely target the requests that you want to allow, block, or count. AWS WAF provides two types of rules.
– Web ACLs
▪ After you combine your conditions into rules, you combine the rules into a web ACL. This is where you define an action for each rule (allow, block, or count) and a default action.
– A default action
▪ The default action determines whether AWS WAF allows or blocks a request that doesn't match all the conditions in any of the rules in the web ACL.
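The conditions → rules → web ACL evaluation described on this slide, modelled as an added example (not code from the slides or from AWS): IP-match and query-string conditions are ANDed inside a rule, rules are evaluated in order, a COUNT action records the match without deciding, and the default action applies when no rule matches all of its conditions. The CIDR ranges, parameter name and match string are constructed sample values.

```python
"""Model of AWS WAF (Classic) web ACL evaluation: conditions -> rules -> web ACL.

Added example, not code from the slides or from AWS. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import parse_qs, urlsplit

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


@dataclass
class Request:
    source_ip: str   # IP address the request originates from
    url: str         # path plus query string, e.g. "/search?q=shoes"


Condition = Callable[[Request], bool]


def ip_match(cidrs: List[str]) -> Condition:
    """IP match condition: true when the source IP falls in any listed CIDR."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r.source_ip) in n for n in nets)


def query_string_match(param: str, needle: str) -> Condition:
    """String match condition on one query-string parameter (case-insensitive)."""
    def cond(r: Request) -> bool:
        values = parse_qs(urlsplit(r.url).query).get(param, [])
        return any(needle.lower() in v.lower() for v in values)
    return cond


@dataclass
class Rule:
    name: str
    conditions: List[Condition]   # a rule matches only when ALL its conditions match
    action: str                   # ALLOW, BLOCK or COUNT


@dataclass
class WebACL:
    rules: List[Rule]       # evaluated in order; the first ALLOW/BLOCK match decides
    default_action: str     # applied when no rule matches all of its conditions
    counts: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, r: Request) -> int:
        """Return the HTTP status CloudFront/ALB would produce: 200 or 403 (Forbidden)."""
        for rule in self.rules:
            if not all(c(r) for c in rule.conditions):
                continue
            if rule.action == COUNT:
                # COUNT records the match but does not decide the outcome
                self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                continue
            return 200 if rule.action == ALLOW else 403
        return 200 if self.default_action == ALLOW else 403


def build_sample_acl(default_action: str = ALLOW) -> WebACL:
    """Constructed web ACL (hypothetical ranges): trust an office range, count
    SQLi-looking queries everywhere, block them from a range already seen misbehaving."""
    probe = query_string_match("q", "union select")
    return WebACL(
        rules=[
            Rule("allow-office", [ip_match(["203.0.113.0/24"])], ALLOW),
            Rule("count-sqli-probe", [probe], COUNT),
            Rule("block-probe-from-badnet", [ip_match(["198.51.100.0/24"]), probe], BLOCK),
        ],
        default_action=default_action,
    )
```

Note that rule order matters: a request from the office range is allowed before the COUNT rule is ever reached, so it leaves no count behind; put COUNT rules first if you want visibility into every matching request.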
10. AWS Shield
▪ AWS provides AWS Shield Standard and AWS Shield Advanced for protection against DDoS attacks.
▪ AWS Shield Standard is automatically included at no extra cost beyond what you already pay for AWS WAF and your other AWS services.
▪ For added protection against DDoS attacks, AWS offers AWS Shield Advanced.
▪ AWS Shield Advanced provides expanded DDoS attack protection for your Amazon EC2 instances, Elastic Load Balancing load balancers, CloudFront distributions, and Route 53 hosted zones.
11. AWS Shield Working
▪ A distributed denial of service (DDoS) attack is an attack in which multiple compromised systems attempt to flood a target, such as a network or web application, with traffic. A DDoS attack can prevent legitimate users from accessing a service and can cause the system to crash due to the overwhelming traffic volume.
▪ AWS provides two levels of protection against DDoS attacks: AWS Shield Standard and AWS Shield Advanced.
– AWS Shield Standard
– AWS Shield Advanced
12. AWS Shield Working
▪ AWS Shield Standard
– All AWS customers benefit from the automatic protections of AWS Shield Standard, at no additional charge.
– AWS Shield Standard defends against the most common, frequently occurring network and transport layer DDoS attacks that target your web site or applications.
– While AWS Shield Standard helps protect all AWS customers, you get particular benefit if you are using Amazon CloudFront and Amazon Route 53.
– These services receive comprehensive availability protection against all known infrastructure (Layer 3 and 4) attacks.
13. AWS Shield Working
▪ AWS Shield Advanced
– For higher levels of protection against attacks targeting your web applications running on Amazon EC2, Elastic Load Balancing (ELB), CloudFront, and Route 53 resources, you can subscribe to AWS Shield Advanced.
– AWS Shield Advanced provides expanded DDoS attack protection for these resources.
14. AWS Trusted Advisor
▪ Trusted Advisor provides advice about your AWS account in the areas of:
– Cost Optimization
– Fault Tolerance
– Performance
– Service Limits
– Security
It highlights potential problems with the way you use AWS.
15. AWS Inspector
▪ Amazon Inspector checks the configuration of EC2 instances. An agent runs on EC2 instances and checks operating system patches, known vulnerabilities, and common issues.
16. AWS Inspector vs Trusted Advisor
▪ Trusted Advisor applies to the AWS account and AWS services.
▪ Amazon Inspector applies to the content of multiple EC2 instances.
18. Summary
AWS Shared Security Responsibility Model
Security


Editor's Notes

  • #7: https://aws.amazon.com/compliance/shared-responsibility-model/
  • #15: https://aws.amazon.com/blogs/aws/route53-cloudtrail-checks-for-the-aws-trusted-advisor/
  • #16: https://blog.cloudthat.com/amazon-inspector-application-security-service-in-aws-cloud/
  • #19: https://www.slideshare.net/AlertLogic/the-aws-shared-responsibility-model-presented-by-amazon-web-services